
Well, I have a variable called $bname and its value is: cat. So if I use the following query I don't get any error.

$sql = mysql_query("SELECT * FROM w_b_page WHERE bname = '" .$bname. " '");

BUT if the variable $bname's value is cat's then the query shows an error message:

Error Message:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in 
E:\Software Installed\xampp\htdocs\wisper\businesspage.php on line 31


Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in 
E:\Software Installed\xampp\htdocs\wisper\businesspage.php on line 36

Why is it showing me this error message?

Alex
    Looks like a classic SQL injection issue. The ' in cat's is closing the bname string comparison early before intended. See http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Steve Chambers Aug 11 '13 at 16:08
  • Please show your code for `mysql_num_rows` and `mysql_fetch_array`, and in MySQL, replace `$bname` with a placeholder and run this straight through the MySQL CLI or phpMyAdmin query window, for more exact errors. – Daryl Gill Aug 11 '13 at 16:09
  • $sql = mysql_query('SELECT * FROM w_b_page WHERE bname = "' .$bname. '"'); Try this – Anish Aug 11 '13 at 16:12

4 Answers


You're getting that error because the query failed and $sql is false.

First, to fix your query, you should make sure $bname is escaped properly. Use mysql_real_escape_string, i.e.

$bname = mysql_real_escape_string($bname, $con); // where $con is your database connection; escapes ' and \ for the current charset
$sql = mysql_query("SELECT * FROM w_b_page WHERE bname = '" . $bname . "'"); // note: no stray space before the closing quote

A better approach to do this would be:

$bname = mysql_real_escape_string($bname, $con); // $con is your open mysql_connect() link
$sql = mysql_query("SELECT * FROM w_b_page WHERE bname = '" . $bname . "'");
if (!$sql) {
  // mysql_query() returns false on failure; report the real reason instead of passing false on to mysql_num_rows()
  die('Invalid query: ' . mysql_error());
}

The above method will show you what the error is in detail.

Lastly, keep in mind that the mysql_ functions are deprecated. You should look into using mysqli or PDO.

vee
  • So what's the actual query ? – Alex Aug 11 '13 at 16:11
  • Look, I'm getting all user info from the MySQL db with this $bname. So the user has the right to use cat's or cat. So what should I do now? – Alex Aug 11 '13 at 16:13
  • @Alex Please read the manual on `mysql_real_escape_string` http://php.net/manual/en/function.mysql-real-escape-string.php to have a further understanding of what this does; do not resort to having a long `str_replace` function to escape your dilemma, when mysql_real_escape_string does all the escaping for you – Daryl Gill Aug 11 '13 at 16:14
  • @vinodadhikary You have exampled `mysqli_*` and `mysql_*` functions, please fix – Daryl Gill Aug 11 '13 at 16:15
  • @DarylGill, thanks. Copy page error. Fixed. – vee Aug 11 '13 at 16:16
  • @vinodadhikary if I use mysql_real_escape_string it escapes the ' with backslashes. But then the MySQL result will fail because the $bname value is cat's. It's input by the user and he has the right to add '. – Alex Aug 11 '13 at 16:17
  • @Alex Try this example, and post the results. – Daryl Gill Aug 11 '13 at 16:18
  • @vinodadhikary it worked! Thanks a lot. – Alex Aug 11 '13 at 16:25
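The mysqli/PDO route this answer points to, as an added example that is not part of the question or any of the answers: the same lookup done with a PDO prepared statement. It runs against an in-memory SQLite database so it works offline (assumed: the pdo_sqlite extension is installed; the w_b_page table and its rows are constructed for the demo). Against MySQL only the DSN and the CREATE TABLE would differ. The point is that with a placeholder the value "cat's" travels to the server separately from the SQL text, so the quote is data rather than syntax, and that with ERRMODE_EXCEPTION a failing query throws instead of handing you a bare false.

```php
<?php
// Added example (not the asker's or an answerer's code). Assumes the pdo_sqlite
// extension; an in-memory SQLite database with a constructed w_b_page table
// stands in for the MySQL database on the page.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample data: one plain name and one containing a single quote.
$pdo->exec("CREATE TABLE w_b_page (id INTEGER PRIMARY KEY, bname TEXT NOT NULL, owner TEXT NOT NULL)");
$pdo->exec("INSERT INTO w_b_page (bname, owner) VALUES ('cat', 'alice'), ('cat''s', 'bob')");

// 1. The approach from the question: string concatenation. A quote in the
//    input ends the string literal early, so "cat's" is a syntax error and an
//    attacker-chosen value can change the WHERE clause entirely.
function lookupUnsafe(PDO $pdo, string $bname): array
{
    $sql = "SELECT * FROM w_b_page WHERE bname = '" . $bname . "'";
    return $pdo->query($sql)->fetchAll();
}

// 2. The fix: a placeholder. The value is bound separately from the SQL text,
//    so no escaping is needed and "cat's" matches exactly one row.
function lookupSafe(PDO $pdo, string $bname): array
{
    $stmt = $pdo->prepare("SELECT * FROM w_b_page WHERE bname = ?");
    $stmt->execute([$bname]);
    return $stmt->fetchAll();
}

// Constructed inputs: the two from the question plus a classic injection payload.
foreach (["cat", "cat's", "' OR 1=1 --"] as $input) {
    try {
        $rows = lookupUnsafe($pdo, $input);
        printf("unsafe %-14s -> %d row(s)\n", json_encode($input), count($rows));
    } catch (PDOException $e) {
        // This is the failure behind "expects parameter 1 to be resource, boolean given":
        // the SQL was malformed, so the legacy mysql_query() returned false.
        printf("unsafe %-14s -> query error: %s\n", json_encode($input), $e->getMessage());
    }
    $rows = lookupSafe($pdo, $input);
    printf("safe   %-14s -> %d row(s), owner=%s\n",
        json_encode($input), count($rows), $rows[0]['owner'] ?? '-');
}
```

Run with `php example.php`: the unsafe lookup returns 1 row for "cat", throws a syntax error for "cat's", and returns both rows for the injection payload; the prepared statement returns exactly alice's row, exactly bob's row, and no rows respectively.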

Problem:

Quotes ' ' are used to represent a string literal.

Example: a string is represented this way

'Sample'

So when you have cat's it thinks that ' is part of a string literal that starts with s, and it doesn't find an ending '. Hence the error.

Solution:

What you need to do is: escape it with \. So $bname should have the value cat\'s

Refer to this manual.

codeMan

' is an escaping character. You need to use '\' in your query.

SELECT * FROM w_b_page WHERE bname = 'cat\'s'

See fiddle

Praveen Prasannan

try:

$bname = str_replace("'", "\'", $bname); // in a double-quoted PHP string "\'" is a literal backslash plus quote
$sql = mysql_query("SELECT * FROM w_b_page WHERE bname = '" . $bname . "'"); // closing quote without the stray space
Angus Walker